Abstract

We consider the problem of distance bounding verification (DBV), where a proving party claims a distance and a verifying 
party ensures that the prover is within the claimed distance. Current approaches to "secure" distance estimation use signal's time 
of flight, which requires the verifier to have an accurate clock. We study secure DBV using physical channel properties as an 
alternative to time measurement. We consider a signal propagation environment that attenuates signal as a function of distance, 
and then corrupts it by an additive noise. 

We consider three attacking scenarios against DBV, namely distance fraud (DFA), mafia fraud (MFA) and terrorist fraud (TFA) 
attacks. We show it is possible to construct efficient DBV protocols with DFA and MFA security, even against an unbounded
adversary; on the other hand, it is impossible to design TFA-secure protocols without time measurement, even with a
computationally-bounded adversary. We however provide a TFA-secure construction under the condition that the adversary's communication
capability is limited to the bounded retrieval model (BRM). We use numerical analysis to examine the communication complexity 
of the introduced DBV protocols. We discuss our results and give directions for future research. 
I. Introduction

Consider a server machine that aims to provide its clients with different services based on how close they are to the server 
location: There are $\ell$ distinct distances $d_1 < \cdots < d_\ell$ as well as services $S_1, \ldots, S_\ell$ such that a client is eligible for service
$S_i$ (and all $S_j$ for $j > i$) if and only if he is located at a distance $< d_i$. To receive a service $S_i$, the client simply sends a
corresponding service request to the server; this can be alternatively viewed as the client claiming a distance at most $d_i$. The
problem is how the server should make sure the request is eligible, i.e., the client is within distance $d_i$. This becomes more
challenging if the server is deployed in a hostile environment, where malicious requests are likely to be received. We refer to 
this problem as distance bounding verification (DBV) as it involves the server (also called verifier) "verifying" an upper bound 
on its distance to the client (also called prover). The DBV problem captures various real-life scenarios in practice. Imagine for 
example a campus center that provides services such as remote printing, online library access, parking reservation depending 
on how close the client is to the center. A more practical scenario is location-based services for mobile devices [22], which
provide their customers with rewards and benefits when they check in at certain venues.

Despite the variety of the settings, "secure" distance estimation approaches often rely on the signal's time of flight (ToF)
Q since other signal properties, such as received signal strength (RSS) and angle of arrival (AoA), are much more susceptible to
powerful adversaries. ToF-based distance estimation is achieved through a rapid exchange of challenge-response
messages between the verifier and the prover. For each challenge-response, the verifier measures the round-trip time, subtracts
the processing time of the prover, and divides this by the signal traveling speed to have an estimate of its distance to the
prover.

Accurate time measurements in these protocols introduce implementation challenges pO) . Firstly, the verifier needs access 
to a high-precision clock to be able to measure the round-trip time with sufficient accuracy, since a small error leads to a 
large inaccuracy in distance estimates. Secondly, the verifier either needs a good estimate of the prover's processing time, or 
must assume it is negligible compared to the signal's time of flight. In hostile environments, one cannot make a good estimate of
the adversary's processing time and this may result in large errors in distance estimation. This indicates that the design and
implementation of accurate ToF-based DBV protocols is still a challenge. This concern leads us to the following question: 
Q: Is secure DBV possible without using time measurement? 

We address the above question and initiate the study of secure DBV in circumstances where the verifier does not have access 
to an accurate clock and so cannot use ToF-based solutions. We investigate using physical-layer channel properties, namely 
path-loss and noise, as an alternative resource to time of flight for the purpose of distance bounding verification. Our approach 
can be seen as a security enhancement of RSS-based distance estimation methods, which assume the prover honestly reports 
back the signal power it receives from the verifier. Knowing this power together with the channel loss as a function of distance,
the verifier can obtain its distance to the prover. This solution however is not suitable when the prover reports a fake power.
We alternatively propose using the combination of path-loss and noise properties in order to relate distance estimation to the
signal-to-noise ratio (which in turn connects to bit-error rate) at the receiver. This is the reason why for instance our wireless
device cannot receive the wifi signals of a router when we are not within its transmission range, simply because signal is much
weaker than noise. In this paper, we analyze this more formally and investigate how we can use these physical properties to
achieve provable security in DBV protocols. To the best of our knowledge, this work is the first to formalize distance bounding 
verification using channel loss and noise. 

A. Problem description 

A DBV protocol is initiated by the prover (say located at distance $d_r$) sending a request for a service $S_c$ that corresponds to
a distance $d_c$. Due to this correspondence between the service and the distance claim, throughout the paper, we alternatively
say that the prover sends a distance claim $d_c$.

The protocol proceeds in a number of communication rounds thereafter that let the verifier accept or reject the request (or 
claim) by deciding whether $d_r < d_c$. We assume that the prover and the verifier communicate over a wireless environment that
attenuates the transmitted signal and adds noise to it. In our setting, signal attenuation is a deterministic variable that reduces 
as a function of distance and noise is modeled by an additive Gaussian random variable with zero mean and certain variance. 
We refer to this propagation environment as the Path Loss and Additive Noise (PLAN) model. 

A secure DBV protocol should ideally allow the verifier to accept if and only if the prover's real distance is closer than 
the claimed distance ($d_r < d_c$). This is not practically achievable, however, as it is infeasible to distinguish two very close distances,
one closer and one farther than $d_c$ (e.g., $d_c + \epsilon$ and $d_c - \epsilon$ for small $\epsilon$). We here relax the ideal requirement of perfectly
distinguishing between the above two distance regions (i.e., $d_r < d_c$ and $d_r > d_c$) by including some uncertainty gaps. In this
work, we use a real-valued parameter $\psi > 1$, referred to as DBV ratio, for this relaxation. The knowledge of $\psi$ together with the
claimed distance $d_c$ lets the verifier specify two distance regions $d_r < d_c$ and $d_r > \psi d_c$ corresponding to the honest and attack
scenarios, for which the protocol is expected to accept and reject, respectively. For a prover in the region $d_c < d_r < \psi d_c$,
the protocol may accept or reject, with probabilities that will depend on the implementation. For a service provider this region 
can be seen as allowing "free riders" with some probability. For high-precision distance bounding, it is possible to make the 
region arbitrarily narrow by choosing $\psi$ sufficiently close to 1.

The performance of a DBV protocol is measured via false rejection probability, $\epsilon_{FR}$, in an honest scenario and false acceptance
probability, $\epsilon_{FA}$, in an attack scenario. We study three main types of attacks (i.e., scenarios where $d_r > \psi d_c$) against DBV
protocols. Distance fraud attack (DFA) [3] refers to a scenario where a malicious prover claims a distance that is lower than
its actual distance. Mafia fraud attack (MFA) [9] is a man-in-the-middle attack where an intruding attacker positions itself
between the verifier and an honest prover to claim that the prover is closer. In terrorist fraud attack (TFA) [9], a malicious
prover colludes with an intruder who is close to the verifier in order to convince the verifier that the prover is closer than it
really is; the intruder, however, does not have the secret key of the dishonest prover. We call a DBV protocol secure against
an attack scenario if it has small false rejection probability in the honest scenario, and small false acceptance probability in 
that attack scenario. 

B. Outline of results 

The intuition is that signal attenuation and noise can be used to distinguish points at different distances without resorting to 
time measurement. In particular, for a distance claim $d_c$, the verifier may be able to distinguish between the honest and the
attack scenarios if it can send signals that behave differently at distances up to $d_c$, compared to distances greater than $\psi d_c$.
This is naturally true because the signal to noise ratio (SNR) at the prover's receiver degrades as the prover moves farther than
$d_c$. We use a very simple challenge-response protocol where the verifier sends a random binary-string challenge and accepts
if and only if the prover's response is close enough (in Hamming weight) to the challenge. 

1) DFA-secure DBV protocol: We give a DFA-secure protocol by simply using the above challenge-response phase, where
the $k$-bit challenge is transmitted over the PLAN environment via the binary phase shift keying (BPSK) modulation. The BPSK
modulation is power-adjustable, i.e., for a received distance claim $d_c$, the verifier chooses an appropriate transmission power
$E$ for the modulator such that the challenge bits are received (demodulated) with at most $\beta k$ errors at distances $< d_c$ and with more than
$\beta k$ errors at distances $> \psi d_c$. By choosing $k$ and $\beta$ carefully and letting $E$ be an appropriate function of $d_c$, the verifier can
stay with the same challenge length $k$ and threshold rate $0 < \beta < 1$ for all claims, by changing the modulator power $E$ accordingly.

2) Adding MFA-security to DBV: MFA-security for a DBV protocol can be easily achieved by authenticating messages
between the prover and the verifier, so that they cannot be manipulated by a third-party attacker. This means protection against 
MFA is purely cryptographic and does not use the physical properties of the channel. This is totally different from the DB 
setting |^3J, where a mafia fraud attacker can activate a passive prover device by relaying (without changing) the verifier's 
challenge signal. Such relay attacks do not work against DBV protocols because DBV is initiated by the "prover" who would 
reject any incoming message before it sends a message (distance claim). Our DFA-secure DBV protocol can hence be changed 
to a DFA/MFA-secure protocol by simply using a message authentication code (MAC) for communicated messages. 

3) TFA-security and the bounded retrieval model: Our DBV solutions cannot resist TFA, because the malicious prover can
always have a helping intruder at distance $d_c$ relay the challenge (by error-correcting codes or signal amplification) to distance
$d_r > \psi d_c$. Unfortunately, without putting further restrictive assumptions, such an attack succeeds, irrespective of the adversary's
computational power, against any DBV protocol that does not use time-of-flight information. The reason is that an appropriately
located intruder can relay all protocol messages (including any signal-related information) back and forth between
the prover and the verifier, without the verifier noticing.

We adopt a restriction on the adversary's communication capability that will allow for TFA-secure DBV protocols without 
time measurement. We consider a variation of the bounded retrieval model (BRM) [10], [12], described as follows. There is
a high throughput uniform source, called the BRM source, that can be invoked by the verifier. The source generates an $n$-bit
uniform binary string and transmits it with a high speed such that all parties (including the verifier) can only retrieve a constant
fraction, A, of the string. Such a source can be implemented for instance by an "explosion" process which generates a lot of
information that cannot be fully retrieved and stored [8]. Using the BRM source output as the challenge message potentially
protects the DBV protocol against TFA since it does not let the intruder capture "all" the transmitted challenge and relay it 
to the farther prover. We design a BRM-DBV protocol that uses appropriate primitives to guarantee that the collusion of the 
intruder and the prover cannot make them succeed in deceiving the verifier. We analyze the security of our protocol against 
two types of adversaries, namely sampling adversary and general adversary, depending on the adversary's retrieval capability. 
The sampling adversary is a practical framework in the BRM and allows for sampling individual bits. In contrast, the general
adversary is a theoretically interesting setting that does not consider any limitation on the adversary's retrieving function other 
than its length. 

4) Numerical analysis: The introduced DBV protocols use computationally-efficient functions such as Hamming distance 
calculation, MACs, and samplers. The communication cost (number of communicated bits) of each protocol, however, depends 
on $\psi$, $\epsilon_{FA}$, $\epsilon_{FR}$, K and the environment parameters. We use numerical analysis to examine the performance of these protocols
with respect to the above parameters. MFA/DFA security and TFA-security against sampling adversaries (in the BRM) can be
attained for all input parameters, while TFA-security against general adversaries is achievable only for a certain range of the DB
ratio $\psi$ and the retrieval rate A (more details in Section V-B). Furthermore, DFA/MFA-security is achieved by communicating
a few hundred bits for typical parameters, which is reasonable for ordinary communication devices, whereas TFA-security
against sampling adversary requires more communication bits, which varies depending on $\psi$ and A.

C. Discussion 

1) Practicality of the results: This work provides an interesting approach to DFA/MFA-secure DBV in real-life communication
scenarios and without requiring additional hardware for time measurement. Our DFA/MFA-secure DBV protocol has
low computational and communication cost and can be implemented on communication devices with low-cost transceivers,
e.g., cell phones, laptops, etc. The growing area of location-based services for mobile devices [22] gives a good example
where DFA-secure DBV is required, for when malicious clients launch a distance fraud by cheating on their location claim
(via manipulating the GPS information) [14] in order to receive illegitimate services/rewards.

The results for the bounded retrieval model (BRM) provide an example of adversary's restriction that makes TFA-secure 
DBV without time measurement possible. A similar work to this is the study of BRM in position based cryptography [8].
Proposing more realistic models for designing secure distance bounding without time measurement is an interesting open 
question. 

2) Channel noise versus time of flight: This work examines the physical properties of a natural propagation environment as
an alternative to time measurement for DBV. Despite construction of protocols with security against the main known attacks 
in our setting, time of flight has some clear advantages: It does not depend on the characteristics of the environment and is 
superior when protection against TFA is considered. In return, a main advantage of our approach is that its performance does 
not depend on the computation time required by the prover. This advantage lets proposed solutions work for verification of 
very short distances, provided that the precise channel state information (attenuation and noise model) is derived. 

An interesting open question is if one can combine physical channel properties with time measurement to achieve better 
performance, for instance to reduce the required clock accuracy of time-based protocols without sacrificing security. 

3) The environmental assumptions: We have made two main assumptions in this work. Firstly, we modeled signal propagation 
environment by a widely-accepted, yet simple model that includes signal attenuation and additive Gaussian noise. We note this 
assumption is mainly for the simplicity of analysis. Modifying the analysis, similar results can be derived for more complex 
communication models, e.g., Rayleigh fading channels that cause the signal-to-noise ratios to become random variables.

Secondly, although we did not make any assumption on the computation power of the adversary, we did assume that she 
has the same reception power as the honest prover. One can relax this assumption and consider a more powerful device for the 
adversary: Secure DBV under this condition can still be possible for higher DBV ratio implying a larger uncertainty gap. 

4) From DBV to DB protocols: It is quite important to know whether our DBV protocols can be used to build secure DB 
protocols that do not require the prover to know its distance, i.e., expect the protocol to output a verified distance bound. We do 
not treat this problem formally, but here are a few words on this topic. Assuming that the protocol should estimate a distance 
bound from a limited number of distances, say $d_1$ to $d_\ell$ for some small $\ell$, distance bounding can be obtained by repeating a
DBV protocol (with carefully chosen parameters) for all these values in place of the distance claim and outputting the smallest $i$
such that the claim $d_i$ is verified via DBV. This approach provides distance bounding with security against distance fraud, but
not mafia fraud since a relay man-in-the-middle attack becomes irresistible. We note that this approach achieves MFA- and
TFA-security in the bounded retrieval model.

5) Single-session versus multiple-session DBV: We study single-session DBV protocols against computationally unbounded 
adversaries. For multiple-session use, the protocols will use fresh randomness and key information in each execution. This will 
ensure that the adversary's gained information in one session cannot be used in other sessions. For more efficiency in secret 
key size, one can assume computationally bounded adversary and use computationally-secure cryptographic primitives. 

D. Related work 

Various approaches have been proposed to obtain location information of untrusted parties in a communication network. 
Brands and Chaum [3] proposed distance bounding (DB) as a primitive that determines a distance upper-bound to a proving
party. They introduced a time-based DB protocol that is secure against DFA and MFA. The follow-up work has since considered
different formalizations of the DB problem in various settings and provided protocols with security against TFA and more
advanced attack scenarios (cf. [4], [6], [11], [13], p3], pO), [27]). Location verification is another primitive that uses distance
estimation techniques to allow the verifier to check whether the proving party is inside a certain region [21]. Both distance
bounding and location verification have found numerous applications in security: they are used as building blocks for secure
localization [5], location-based access control [19], and position-based cryptography [8].

Although the main body of the work relies on time measurement for secure distance estimation, there have been attempts 
to find alternative secure solutions without using time. Balfanz et al. [1] investigated the use of location-limited channels
for location verification. Caswell and Debaty [7] proposed obtaining proximity information via the concept of
physically-constrained channels. These studies however do not provide a "formal" security analysis that shows how physical properties
are used to realize these channel models. 

The effect of environment noise on time-based DB protocols has been considered by p3], p7), |23 1. These works approach
noise as an undesired phenomenon that interferes with a DB protocol's operation; hence they propose protection
mechanisms against environmental noise. In our contrasting viewpoint, the channel noise is a "blessing" in the sense that
it allows distinguishing honest and distance fraud scenarios based on the reception quality at different distances.

Paper organization 

Section II presents our notations and preliminary definitions. In Section III we give a formal definition of the DBV problem
and settings. We introduce our DBV protocols and prove their security in Section IV and use numerical analysis to study their
communication complexity in Section V. We conclude the paper and give directions to future work in Section VI.

II. Notations and Preliminaries 

We use uppercase letters X and lowercase letters x to denote random variables/strings and their realizations, respectively. 
$X_i$ denotes the $i$-th element of the string $X$. For a positive integer $n$, we use $[n]$ to indicate $\{1,2,\ldots,n\}$. We denote the Hamming
distance of two bit strings by $d_H(\cdot,\cdot)$. Logarithms are base 2.

The basic component of our DBV protocols is a challenge-response phase over the noisy environment that lets the verifier 
accept only if the prover's response is close enough (in Hamming distance) to the challenge. The intuition for security is 
that receivers at far distances, with high probability, cannot guess a close string to the challenge. We formalize this notion of 
security through a class of sources, named closely-secure sources, which generalize weak sources by requiring an upper-bound 
on the probability of any element being close to the source output. 

Definition 1 (Closely-secure source): A random variable $X \in \{0,1\}^n$ is $(\beta,\delta)$-closely-secure if
$\max_x \Pr(d_H(X, x) < \beta n) < 2^{-\delta n}$. The source is $(\beta,\delta)$-closely-secure conditioned on $Y \in \mathcal{Y}$ if
$E_y \max_x \Pr(d_H(X, x) < \beta n \mid Y = y) < 2^{-\delta n}$.
Lemma 1 shows how leakage can affect the close-security of a source. The proof of this lemma follows simply from the chain
rule for min-entropy and is hence omitted.

Lemma 1: Let the random variable $X \in \{0,1\}^n$ be $(\mu,\delta)$-closely-secure conditioned on $Y$ and let $A$ be any random variable
with support size $L$. Then $X$ is $(\mu, \delta - \log(L)/n)$-closely-secure conditioned on $(Y, A)$.

To protect DBV against mafia fraud, we use (information-theoretic) message authentication codes (MACs). A MAC is a 
shared key cryptographic primitive that protects a message against arbitrary tampering of an adversary. The code is defined by 
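a function $\mathrm{Mac} : \mathcal{K} \times \mathcal{M} \to \mathcal{T}$ that takes a shared key $sk \in \mathcal{K}$ as well as a message $m \in \mathcal{M}$ and returns an authentication tag
$t = \mathrm{Mac}(sk; m)$. A message and tag pair $(m', t')$ are then verified if $t' = \mathrm{Mac}(sk; m')$ holds. We limit ourselves to one-time
MACs, defined as follows.

Definition 2 (MAC): A function $\mathrm{Mac} : \mathcal{K} \times \mathcal{M} \to \mathcal{T}$ is called an $\epsilon$-secure one-time message authentication code (MAC) if for
any message $m \in \mathcal{M}$ and any adversary $\mathcal{A} : \mathcal{T} \to \mathcal{M} \times \mathcal{T}$, it holds that
$\Pr[t' = \mathrm{Mac}(SK; m') \mid (m', t') = \mathcal{A}(\mathrm{Mac}(SK; m))] < \epsilon$,
with the probability taken over the uniform key $SK \in \mathcal{K}$.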



Another primitive used in this work is a sampler, which is an efficiently-computable function that receives some randomness 
as input and lets the BRM-DBV protocol retrieve part of the BRM source output in the BRM setting. For the purpose of this 
work, we use averaging samplers that are proposed due to their randomness efficiency ||2), p5| . 



Definition 3 (Averaging sampler): [25] A function $\mathrm{Samp} : \{0,1\}^r \to [n]^k$ is a $(\mu,\theta,\gamma)$ averaging sampler if for every
function $f : [n] \to [0,1]$ with average value $\frac{1}{n}\sum_{i} f(i) \ge \mu$, it holds that
$\Pr\left[\frac{1}{k}\sum_{j=1}^{k} f(i_j) < \mu - \theta\right] < \gamma$, where
$(i_1, i_2, \ldots, i_k) = \mathrm{Samp}(U_r)$ and $U_r$ is uniform over $\{0,1\}^r$. The sampler has distinct samples if for every $x \in \{0,1\}^r$, the
samples produced by $\mathrm{Samp}(x)$ are all distinct.

Vadhan [25] shows an explicit efficient construction for averaging sampling with distinct samples (as defined above), by
modifying an existing sampler based on random walks on expander graphs. We show in Lemma 2 that averaging samplers
keep the close-security property of a source as in Definition 1. This property is useful in proving the TFA-security of our
BRM-DBV protocol.

Lemma 2 (See Appendix): Let the random variable $X \in \{0,1\}^n$ be $(\mu,\delta)$-closely-secure conditioned on $Y$. Suppose
$\mathrm{Samp} : \{0,1\}^r \to [n]^k$ is a $(\mu,\theta,\gamma)$-averaging sampler with distinct samples. Then for uniformly distributed $U_r \in \{0,1\}^r$,
the random variable $M = X_{\mathrm{Samp}(U_r)}$ is $(\mu - \theta, \delta')$-closely-secure conditioned on $(U_r, Y)$, where $\delta' = -\log(\gamma + 2^{-\delta n})/k$.

III. DBV: Problem Definition 

A distance bounding verification (DBV) protocol is a two-party protocol between a verifier V and a (possibly untrusted) 
prover P that enables the verifier to verify an upper-bound on the distance claimed by the prover. The protocol is initiated by V
receiving a distance claim supposedly sent by P whose real distance is $d_r$. The protocol may have multiple rounds. In each
round, one of the parties constructs a message using its current view of the protocol, including its secret state and the messages
received so far. At the end of the protocol the verifier outputs a Boolean value $V_{out} \in \{\mathrm{Acc}, \mathrm{Rej}\}$ indicating V has accepted
or rejected the claim, respectively. 

We denote by $d_0$ the maximum distance that can be claimed in the DBV protocol and by $\psi > 1$ a real-valued parameter,
called the DBV ratio. A distance claim $d_c < d_0$ together with $\psi$ partitions the area around V into three distance regions: (i)
$d_r < d_c$, (ii) $d_c < d_r < \psi d_c$, and (iii) $d_r > \psi d_c$. See Figure 1. Region (i) that is the closest to V corresponds to the honest
setting, denoted by Hon[V $\leftrightarrow$ P], where V is expected to output Acc. Region (iii) which is the farthest from V corresponds
to an adversarial setting Att, where V should output Rej. Region (ii) between the other two regions specifies an uncertain
region where the protocol's output cannot be guaranteed. The acceptance probability of V in this region decreases with distance 
from 1 to 0. To keep the uncertainty region small, the DBV ratio should be chosen sufficiently close to 1. 




Fig. 1. The DBV regions specified by $d_c$ and $\psi$.

The performance of a DBV protocol is measured in terms of completeness and soundness using the two false rejection and 
false acceptance error rates, respectively. 

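Definition 4 (DBV protocol): A DBV protocol is called $(\psi, \epsilon_{FA}, \epsilon_{FR})$-Att-secure when it satisfies

Completeness: $\Pr(\mathrm{Vrf}_{out}(\mathrm{Hon}[V \leftrightarrow P]) = \mathrm{Acc}) > 1 - \epsilon_{FR}$, (1)
Soundness: $\Pr(\mathrm{Vrf}_{out}(\mathrm{Att}) = \mathrm{Rej}) > 1 - \epsilon_{FA}$, (2)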

with probability taken over the randomness of the protocol, the adversary, and the environment. 

A. Adversarial scenarios 

We assume that the DBV protocol, its parameters and implementation, are publicly known. The adversary can listen to and 
tamper arbitrarily with the communicated messages. We consider the following adversarial scenarios against a DBV protocol. 
We note that an adversarial scenario always refers to when $d_r > \psi d_c$, where $\psi > 1$ is the DBV ratio.

Distance fraud attack (DFA) [3]. The distance fraud, denoted by DFA[V f^- P], refers to a scenario where a dishonest prover
P at distance $d_r$ claims distance $d_c$, such that $d_r > \psi d_c$, to the verifier aiming at convincing V of this claim.



Mafia fraud attack (MFA) [9]. The Mafia fraud, MFA[V I P], consists of three parties: an honest verifier V, an honest
prover P at the distance $d_r$, and an intruder I who launches a man-in-the-middle attack. No restriction is put on the location
of I. The attack begins with P sending an honest distance claim and I modifying it to a claim $d_c$, where $d_r > \psi d_c$. The
rest of the attack is about I trying to convince V about this claim. Protection against MFA requires P and V to share secret
key information by which V can distinguish P from I. We note that unlike in DB protocols [3], I cannot succeed if it just
relays messages between V and P as the first message in this attack scenario against DBV is an honest distance claim, i.e., 
the prover's real distance. 

Terrorist Fraud Attack (TFA) [9]. The terrorist fraud, denoted by TFA[V I f^- P], also includes three parties: an honest
verifier V, a malicious prover P at the distance $d_r$, a colluding intruder I that can be at any location. Similar to MFA-security,
TFA-security also relies on secret key information shared between V and P. The prover's goal is to help I convince V of
the distance claim $d_c$ where $d_r > \psi d_c$, nevertheless without revealing crucial secret key information that would increase I's
success chance in impersonating the prover without its permission. An impersonation attack, denoted by Imp[V -;-> A], refers
to a scenario where an adversary $\mathcal{A}$ initiates a DBV protocol with V by sending a distance claim $d_c$, while the prover at some
distance $d_r > \psi d_c$ is unaware of this protocol initiation.

Dürholz et al. [11] provide a formalization of the above requirement in TFA for time-based DB protocols. The definition
however is given for multiple-session DB in the computational setting and cannot be applied to our setting of
information-theoretic "single-session" time-less DBV. In our setting, the prover's secret key is used for "one" DBV protocol instance: Once
an honest/attack DBV scenario is successfully completed, then the prover's secret key can be made public since it will become
useless. However, the prover should not reveal its key prior to any protocol because it would let others impersonate the prover.
Having noted this, we modify the formalization in [11] to define terrorist fraud as follows:

In a valid TFA, P may reveal any information to I as long as it does not make impersonation of P a more attractive
attack (having higher success chance). We note that this leakage to I should be examined at a time before V "receives" the
TFA distance claim $d_c$, because after this moment V would reject any claims impersonating the prover; hence, rendering the
leakage information $\mathcal{V}$ useless. But if leakage occurs before V receives the claim $d_c$ (say e.g., offline), the intruder may try
to launch an impersonation attack instantly to claim a closer distance $d'_c \le d_c$, which corresponds to a higher-ranked service.
Definition 5 formalizes this by requiring that I's view by the time the distance claim is received by V does not increase its
success chance in impersonation attack.

Definition 5: Let TFA[V I P] be an attack scenario that provides I with view $\mathcal{V}$ before V receives the distance claim.
This attack scenario is a valid TFA if for any impersonator $\mathcal{A}$ that takes $\mathcal{V}$ as input, there exists a simulator $\mathcal{S}$ such that

$\Pr(\mathrm{Vrf}_{out}(\mathrm{Imp}[V, \mathcal{S}(\perp)]) = \mathrm{Acc}) = \Pr(\mathrm{Vrf}_{out}(\mathrm{Imp}[V, \mathcal{A}(\mathcal{V})]) = \mathrm{Acc})$.

B. Physical-layer model: PLAN 

We consider an environment where wireless signal transmission is affected by Path Loss and Additive Noise (PLAN). We
assume long-distance path loss without fading, in which signal amplitude at a distance $d$ from the transmitter is obtained by
dividing the signal transmission amplitude by $\sqrt{\xi d^{\alpha}}$, where $\xi \ge 1$ is a constant representing the system loss and $\alpha > 0$ is
the path loss exponent whose value varies between 2 (free-space) and 4 (flat-earth) [18, Chapter 4]. The additive noise is a
Gaussian signal with zero mean and variance $S$. Thus in our model, a signal transmitted with the initial power $E$ will be
received at a distance $d$ with power $E/(\xi d^{\alpha})$. We specify a PLAN communication environment by PLAN$^{\xi,\alpha,S}$, where the three
superscript parameters denote the system loss, the path loss exponent, and the noise power, respectively.

Fig. 2. The PLAN$^{\xi,\alpha,S}$ model

Remark 1: We assume that the noise variables at distinct receiving positions in PLAN$^{\xi,\alpha,S}$ are independent. This is a very
common assumption supported by the fact that the additive noise variables at different receivers are generated by independent
sources [24].

Figure 2 models the transmission of a signal $X$ over PLAN$^{\xi,\alpha,S}$, where intended and blocked receivers at distances $d$ and
$\psi d$, for $\psi > 1$, receive signals $Y = (\xi d^{\alpha})^{-1/2} X + N_Y$ and $Z = (\xi (\psi d)^{\alpha})^{-1/2} X + N_Z$, respectively, where $N_Y$ and $N_Z$ are
independent Gaussian random variables with zero mean and variance $S$. For signal transmission power $E$, the signal-to-noise
ratios at the two receivers are calculated as $\mathrm{SNR}_Y = \frac{E}{\xi d^{\alpha} S}$ and $\mathrm{SNR}_Z = \frac{E}{\xi (\psi d)^{\alpha} S} = \mathrm{SNR}_Y/\psi^{\alpha}$, respectively.

IV. DBV Protocols over PLAN 

A. DFA-secure DBV protocol 

We give our basic DFA-secure DBV protocol as a challenge-response protocol which relies on power-adjustable Binary 
Phase Shift Key (BPSK) modulation for the purpose of signal transmission. Applying the BPSK modulation over the PLAN 
environment converts it to a binary symmetric broadcast channel (BSBC) with known bit error probabilities. The challenge- 
response protocol is then communicated over this binary channel. 

1) BPSK modulation: We use a power-adjustable BPSK modulation scheme with modulator $\mathrm{Mod}_E : \{0,1\} \to \mathbb{R}$ and
demodulator $\mathrm{Demod} : \mathbb{R} \to \{0,1\}$ defined as

$$\mathrm{Mod}_E(s) = \begin{cases} \sqrt{E}, & \text{if } s = 1 \\ -\sqrt{E}, & \text{else} \end{cases} \quad \text{and} \quad \mathrm{Demod}(x) = \begin{cases} 0, & \text{if } x < 0 \\ 1, & \text{else} \end{cases} \qquad (3)$$

where $E$ is the transmission power chosen by the verifier. Let $E_{\max}$ be the maximum allowed power at the transmitter,
and $d_0$ be the maximum distance that can be claimed to V. For a target distance $d$, the verifier chooses $E = (d/d_0)^{\alpha} E_0$,
where $E_0 \le E_{\max}$ is the power considered for $d_0$. With a slight abuse of notation, we also use the $\mathrm{Mod}_E$ / $\mathrm{Demod}$ functions for
sequences, by which we mean applying them on symbols sequentially.

The benefit of using power-adjustable modulation over PLAN$^{\xi,\alpha,S}$ is that it gives fixed signal-to-noise ratios $\mathrm{SNR}_0$ and
$\mathrm{SNR}_0/\psi^{\alpha}$ for all pairs of intended/blocked distances $(d, \psi d)$, where $\mathrm{SNR}_0 = \frac{E_0}{\xi d_0^{\alpha} S}$ is a constant determined by the system
parameters. This implies that all such pairs of channels can be mapped to a single binary symmetric broadcast channel (BSBC)
as shown in Lemma 3. The proof is simple and hence omitted for lack of space.

Lemma 3: Using $\mathrm{Mod}_E$ / $\mathrm{Demod}$ over PLAN$^{\xi,\alpha,S}$ converts channels from the verifier V to distances $d$ and $\psi d$ into a BSBC
with intended and blocked receiver error probabilities



Pi = ]^evic{./SNR^) and = ^erfc(^ ^^)^ (4) 

where SNR, = 

2) Challenge-response protocol: The challenge-response protocol takes advantage of noise in the PLAN$^{\xi,\alpha,S}$ environment
to distinguish whether a claim belongs to an honest scenario or a distance fraud scenario. For positive integer $k$ and real
$E_0 \le E_{\max}$ and $0 < \beta < 1$, the $(E_0, k, \beta)$-challenge-response protocol, $\Pi_1$, is described as follows.

1) P sends a distance claim $[d_c]$ reliably to V.

2) V chooses a random $M \in \{0,1\}^k$, and broadcasts $X = \mathrm{Mod}_E(M)$, where $E = (d_c/d_0)^{\alpha} E_0$; P receives $Y$.

3) P demodulates and sends $\hat{M} = \mathrm{Demod}(Y)$ reliably to V.
- Verification. V accepts iff $d_H(M, \hat{M}) \le \beta k$.

Remark 2: Notice the difference between communication from the prover to the verifier and that in the opposite direction.
The verifier transmits the challenge via BPSK modulation with appropriate power to cause distinguishably different
signal-to-noise ratios between acceptable distances $d \le d_c$ and fraud distances $d_r \ge \psi d_c$. Since the prover is generally not trusted, the
protocol does not rely on the communication noise/attenuation in prover-to-verifier messages. The protocol expects the prover
to use reliable coding and reasonable transmission power to provide reliable communication; hence without loss of generality,
we assume this communication is error-free.

A $(E_0, k, \beta)$-challenge-response protocol is a $(\psi, \epsilon_{FA}, \epsilon_{FR})$-DFA-secure DBV protocol if for any claim $d_c \le d_0$, no more
than $\beta k$ challenge bits are corrupted at distances $\le d_c$, and more than $\beta k$ challenge bits are corrupted at distance $\ge \psi d_c$,
except with probabilities $\epsilon_{FR}$ and $\epsilon_{FA}$, respectively.

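Proposition 1 (See Appendix B): Given DBV parameters $\psi$, $\epsilon_{FA}$, and $\epsilon_{FR}$, and PLAN$^{\xi,\alpha,S}$ parameters, choose $E_0 \le E_{\max}$
and $p_i < \beta < p_b$, where $p_i$ and $p_b$ are determined from (4). The $(E_0, k, \beta)$-challenge-response protocol, $\Pi_1$, with challenge
length

$$k = \left\lceil \max\left\{ \frac{(p_i+\beta)\ln(1/\epsilon_{FR})}{(\beta-p_i)^2},\; \frac{(2p_b)\ln(1/\epsilon_{FA})}{(p_b-\beta)^2} \right\} \right\rceil \qquad (5)$$

is a $(\psi, \epsilon_{FA}, \epsilon_{FR})$-DFA-secure DBV protocol over PLAN$^{\xi,\alpha,S}$.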
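The following sketch is an added example, not code from the paper: it computes a challenge length from the two Chernoff requirements used in the proof of Proposition 1 (with the double minimisation of Section V-A) and then simulates the challenge-response protocol for an honest prover and for one at the fraud distance. It assumes BPSK symbols of amplitude ±√E and unit noise variance, derives the bit error probability directly from the PLAN model rather than from (4), and all function names and parameter values are constructed for illustration.

```python
import math
import random

def bit_error(snr):
    """Error probability of BPSK symbols +/-sqrt(E) in zero-mean Gaussian noise,
    where snr = received signal power / noise variance (assumed mapping)."""
    return 0.5 * math.erfc(math.sqrt(snr / 2.0))

def challenge_length(snr0, psi, alpha, eps_fa, eps_fr, steps=2000):
    """For a fixed SNR_0, scan beta in (p_i, p_b) and return the smallest k that
    meets both Chernoff requirements, as (k, beta, p_i, p_b)."""
    p_i = bit_error(snr0)                 # intended receiver, at distance d_c
    p_b = bit_error(snr0 / psi ** alpha)  # blocked receiver, at distance psi * d_c
    best = None
    for j in range(1, steps):
        beta = p_i + (p_b - p_i) * j / steps
        k_fr = (p_i + beta) * math.log(1 / eps_fr) / (beta - p_i) ** 2  # honest prover accepted
        k_fa = 2 * p_b * math.log(1 / eps_fa) / (p_b - beta) ** 2       # far prover rejected
        k = math.ceil(max(k_fr, k_fa))
        if best is None or k < best[0]:
            best = (k, beta, p_i, p_b)
    return best

def optimal_parameters(psi, alpha, eps_fa, eps_fr, snr_db_grid=range(-5, 16)):
    """Outer minimisation over the power E_0, expressed as SNR_0 in dB.
    Returns (k, beta, p_i, p_b, snr0_db)."""
    return min(challenge_length(10 ** (db / 10), psi, alpha, eps_fa, eps_fr, 400) + (db,)
               for db in snr_db_grid)

def run_protocol(k, beta, snr0, distance_ratio, alpha, rng):
    """One challenge-response run with the prover at distance_ratio * d_c
    (1.0 = honest). Noise variance is normalised to 1."""
    amp = math.sqrt(snr0 / distance_ratio ** alpha)
    errors = 0
    for _ in range(k):
        m = rng.getrandbits(1)                           # challenge bit
        y = (amp if m else -amp) + rng.gauss(0.0, 1.0)   # received symbol
        errors += m != (1 if y >= 0 else 0)              # demodulate and compare
    return errors <= beta * k

def accept_rate(trials, k, beta, snr0, distance_ratio, alpha, seed=1):
    """Fraction of accepted runs over independent challenges."""
    rng = random.Random(seed)
    return sum(run_protocol(k, beta, snr0, distance_ratio, alpha, rng)
               for _ in range(trials)) / trials

if __name__ == "__main__":
    psi, alpha, eps = 1.5, 3, 1e-3        # constructed example parameters
    k, beta, p_i, p_b = challenge_length(4.0, psi, alpha, eps, eps)
    print(f"p_i={p_i:.4f} p_b={p_b:.4f} beta={beta:.4f} k={k}")
    print("honest accept rate:", accept_rate(200, k, beta, 4.0, 1.0, alpha))
    print("fraud  accept rate:", accept_rate(200, k, beta, 4.0, psi, alpha))
    print("best over power grid:", optimal_parameters(psi, alpha, eps, eps))
```

Shrinking the DBV ratio toward 1 narrows the gap between the two error probabilities, which is why the required challenge length grows quickly in that direction.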



B. Adding MFA-security to DBV 

To make a DBV protocol secure against mafia fraud, one can simply use message authentication for the communicated messages.
This makes an intruder I unable to manipulate the communication, especially the prover P's distance claim, which is true
(honest) in the MFA scenario. Again note that a relay attack cannot succeed against DBV because the protocol is initiated by
the honest P whose claim is not what I would desire. This is completely different from the distance bounding problem where P
waits to be activated/challenged by the verifier V, through a signal that can be relayed by I. As we consider information-theoretic
security for our protocol, we use an information-theoretic message authentication code (MAC), given by Definition 2. Figure 3
shows a DFA/MFA-secure DBV protocol, $\Pi_2$, which is obtained by incorporating an $\epsilon$-secure one-time MAC (with $\epsilon \le \epsilon_{FA}$)
to P's response in the protocol $\Pi_1$ of Section IV-A. We denote the MAC function by $\mathrm{Mac} : \mathcal{K}_a \times (\{0,1\}^k \times \mathcal{D}) \to \mathcal{T}$ and
assume V and P share a secret key $SK_a \in \mathcal{K}_a$. The communication, shown in brackets, from P to V is assumed to be error-free
(see Remark 2).



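Verifier (SK) and Prover (SK):

P → V: $[d_c]$
V: $d_c \Rightarrow E$
V → P: $X = \mathrm{Mod}_E(M)$
P: $\hat{M} = \mathrm{Demod}(Y)$, $T = \mathrm{Mac}(SK; (\hat{M}, d_c))$
P → V: $[\hat{M}, T]$
V: $\mathrm{Vrf}_{out} = \mathrm{Acc}$, iff: $d_H(M, \hat{M}) \le \beta k$ and $T = \mathrm{Mac}(SK; (\hat{M}, d_c))$

Fig. 3. DFA/MFA-secure DBV protocol $\Pi_2$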

Corollary 1: Let parameters $(E_0, k, \beta)$ be chosen as in Proposition 1 and Mac be an $\epsilon$-secure one-time MAC with $\epsilon \le \epsilon_{FA}$.
The DBV protocol $\Pi_2$ is $(\psi, \epsilon_{FA}, \epsilon_{FR})$-DFA/MFA-secure over PLAN$^{\xi,\alpha,S}$.

C. Adding TFA-security to DBV 

We observe that without assuming any restriction on the communication capability of P and I, it is impossible to design a
TFA-secure DBV protocol that does not rely on time measurement on the verifier's side. This can be seen by noting that the channel
between P and I can be made error-free (by using error correcting codes) and instantaneous (without time measurement). The
appropriately located intruder can "relay" all protocol messages (and other related signal information) back and forth between
P and V, without V noticing. Such an attack scenario does not require I to know any secret key information owned by P and
is thus a valid terrorist fraud as in Definition 5.

1) The bounded retrieval model: Protecting against terrorist fraud in DBV may be possible if restrictive assumptions are 
made about the adversary's communication power. In the following, we describe a variant of the bounded retrieval model 
(BRM) that restricts the communication capability of the parties in the system. BRM is a variation of bounded storage model 
first proposed in y_6|. In both cases there is a random source that generates strings with high min-entropy. Bounded storage 
model puts a bound on the amount of parties' storage. In BRM however pO) , | [T2| , there is no limit on the parties storage, 
rather the adversary's retrieval rate of the stored strings is limited. 

BRM source. We assume there is a $\lambda$-BRM source, denoted by $\mathrm{Src}_{\lambda}$, that takes as input a transmission power $E$, generates
a uniform $n$-bit string $O$, and transmits $X_O = \mathrm{Mod}_E(O)$ using the BPSK modulator. We assume that the verifier V can
select the transmission power, but has no control over the source output. The retrieval rate $0 < \lambda < 1$ implies that each party
(including V) can retrieve at most $\lambda n$ bits from the string. Honest parties use sampling to retrieve $\lambda n$ individual bits. The
adversary however may or may not have more communication capability. A sampling adversary, like honest parties, can only
retrieve individual bits at specific indices. But a general adversary can apply any $\lambda n$-bit function to her observation. While
the latter adversary is more powerful, the sampling adversary is reasonably interesting as one may argue that applying any
function other than sampling would require retrieving more bits from the observation and hence would violate the BRM condition.
Practical examples of implementing such a source are an "explosion" which generates a lot of noise that can be measured but
not stored [8], or a system of high-speed transceivers that broadcast random data at a very high rate over the environment.



2) The BRM-DBV Protocol: We describe the BRM-DB protocol that is DFA/MFA/TFA-secure in the BRM. We assume
that V and P share a key $SK_e \in \{0,1\}^r$ that is used for sampling the BRM source output.

Averaging sampler. We use the "averaging sampler" Samp, given by Definition 3. This primitive takes as input a secret key $SK_e$
shared between V and P and returns them $k = \lambda n$ positions to sample from the BRM source output.

The reason for TFA-security is that the challenge in the BRM-DB protocol is hidden in the BRM source output and retrieving
it needs $SK_e$. Without knowledge of the key, the intruder can only retrieve a random part of the source output, which cannot
much help the (malicious) prover find an acceptable response. The protocol proceeds in three rounds as shown in Figure 4 (again
the communication from P to V is error-free).

1) P sends a distance claim $[d_c]$ reliably to V.

2) V invokes the source $\mathrm{Src}_{\lambda}(E)$ with $E = (d_c/d_0)^{\alpha} E_0$; the signal $X_O \in \mathbb{R}^n$ is transmitted and P receives $Y_O$.

3) P uses Samp to retrieve $Y_M = Y_{O,\mathrm{Samp}(SK_e)}$, obtains $\hat{M} = \mathrm{Demod}(Y_M)$, and sends back $[\hat{M}]$.
- Verification. V obtains $M = X_{O,\mathrm{Samp}(SK_e)}$ and accepts iff $d_H(M, \hat{M}) \le \beta k$, for $k = \lambda n$.
Prover ($SK_e$): $Y_M = Y_{O,\mathrm{Samp}(SK_e)}$, $\hat{M} = \mathrm{Demod}(Y_M)$
Verifier: $X_M = X_{O,\mathrm{Samp}(SK_e)}$, $M = \mathrm{Demod}(X_M)$; $\mathrm{Vrf}_{out} = \mathrm{Acc}$, iff: $d_H(M, \hat{M}) \le \beta k$

Fig. 4. The BRM-DB protocol in the BRM

Theorem 1 shows the TFA-security of the above protocol in the general adversary setting.

Theorem 1 (See Appendix C): Given $\lambda < \log(e)/2$, DBV parameters $\psi$, $\epsilon_{FA}$, and $\epsilon_{FR}$, and PLAN$^{\xi,\alpha,S}$ parameters, if there
exists $E_0 \le E_{\max}$ such that $p_i < p_b - \sqrt{2\ln(2)p_b\lambda}$, with $p_i$ and $p_b$ given by Lemma 3, then the following holds. Choose $\beta$,
$\theta$, $\mu$, $k$, $n$ such that $p_i < \beta$, $\mu = \beta + \theta$, $\mu < p_b - \sqrt{2\ln(2)p_b\lambda}$,

and $n = \lceil k/\lambda \rceil$. The BRM-DBV protocol is $(\psi, \epsilon_{FA}, \epsilon_{FR})$-DFA/MFA/TFA-secure over PLAN$^{\xi,\alpha,S}$ in the $\lambda$-BRM with general
intruder.

The result shows the possibility of TFA-secure distance bounding verification in the BRM. The construction, however,
will only work under the condition that $p_i < p_b - \sqrt{2\ln(2)p_b\lambda}$. This gives that choosing $\lambda < \log(e)/2 \approx 0.72$ is necessary
but not sufficient, as satisfying the condition depends on other parameters, esp. the DBV ratio $\psi$. The numerical analysis of
Section V-A shows that the retrieval rate should be around 0.1, which is much lower than the above bound. In contrast to the
above, the BRM-DBV protocol shows much better security performance in the sampling adversary setting.

Theorem 2 (See Appendix D): Given $\lambda < 1$, DBV parameters $\psi$, $\epsilon_{FA}$, and $\epsilon_{FR}$, and PLAN$^{\xi,\alpha,S}$ parameters, if there exists
$E_0 \le E_{\max}$ such that $p_i < (1-\lambda)p_b$, with $p_i$ and $p_b$ given by Lemma 3, then the following holds. Choose $\beta$, $\theta$, $\mu$, $k$, $n$ such



and $n = \lceil k/\lambda \rceil$. The BRM-DBV protocol is $(\psi, \epsilon_{FA}, \epsilon_{FR})$-DFA/MFA/TFA-secure over PLAN$^{\xi,\alpha,S}$ in the $\lambda$-BRM with
sampling intruder.

From Q, any arbitrarily small Pi/ph is achieved by choosing Eq and hence SNRq sufficiently large. We however should 
note that when E^ax is not very large, some values of Pi/ph may not be achievable with Eq < Emax (more details in Section 
1^. 
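The sketch below is an added example, not code from the paper: it simulates the BRM protocol against the sampling intruder described above, to show why the condition $p_i < (1-\lambda)p_b$ of Theorem 2 matters. It assumes BPSK symbols of amplitude ±√E with unit noise variance, uses a keyed pseudo-random choice of positions as a hypothetical stand-in for the averaging sampler Samp, and all names and parameter values are constructed.

```python
import math
import random

def bit_error(snr):
    """BPSK error probability in zero-mean Gaussian noise (snr = received power / noise variance)."""
    return 0.5 * math.erfc(math.sqrt(snr / 2.0))

def sampling_condition_holds(snr0, psi, alpha, lam):
    """Condition of the sampling-intruder theorem: p_i < (1 - lambda) * p_b."""
    return bit_error(snr0) < (1 - lam) * bit_error(snr0 / psi ** alpha)

def noisy_demod(bit, snr, rng):
    """Send one BPSK symbol through unit-variance Gaussian noise and demodulate it."""
    amp = math.sqrt(snr)
    return 1 if (amp if bit else -amp) + rng.gauss(0.0, 1.0) >= 0 else 0

def sample_positions(key, n, k):
    """Hypothetical stand-in for Samp(SK_e): k distinct key-dependent positions in [0, n)."""
    return random.Random(key).sample(range(n), k)

def brm_round(key, lam, k, beta, snr0, psi, alpha, rng, terrorist_fraud):
    """One run of the BRM protocol; returns True when the verifier accepts."""
    n = math.ceil(k / lam)
    source = [rng.getrandbits(1) for _ in range(n)]   # O: the BRM source output
    positions = sample_positions(key, n, k)           # computable by V and P only
    if terrorist_fraud:
        # The intruder beside V sees O without errors but can keep only k = lam*n
        # bits, at indices fixed without knowledge of the key.
        leaked = set(rng.sample(range(n), k))
        far_snr = snr0 / psi ** alpha                 # the prover really sits at psi * d_c
        response = [source[i] if i in leaked else noisy_demod(source[i], far_snr, rng)
                    for i in positions]
    else:
        response = [noisy_demod(source[i], snr0, rng) for i in positions]  # honest, at d_c
    errors = sum(source[i] != r for i, r in zip(positions, response))
    return errors <= beta * k

def accept_rate(trials, seed, **params):
    """Fraction of accepted runs; params are forwarded to brm_round."""
    rng = random.Random(seed)
    return sum(brm_round(rng=rng, **params) for _ in range(trials)) / trials

if __name__ == "__main__":
    base = dict(key=20240501, k=400, beta=0.064, snr0=4.0, psi=1.5, alpha=3)  # constructed values
    for lam in (0.1, 0.9):
        print(lam, sampling_condition_holds(4.0, 1.5, 3, lam),
              accept_rate(100, 7, lam=lam, terrorist_fraud=False, **base),
              accept_rate(100, 7, lam=lam, terrorist_fraud=True, **base))
```

With a low retrieval rate the leaked bits cover only a small share of the sampled positions and the far prover is rejected; at a rate of 0.9 the condition fails and the same threshold no longer separates the two cases.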



V. Numerical Analysis 

The DBV protocols $\Pi_1$, $\Pi_2$, and $\Pi_3$ proposed in this work are computationally efficient as they use light-computation
functions such as Hamming distance calculation, a one-time MAC, and an averaging sampler [25]. The communication cost of
the protocols however, defined as the number of communicated bits, may vary depending on the system parameters $\psi$, $\epsilon_{FA}$,
$\epsilon_{FR}$, and $\lambda$ (for the BRM-DBV protocol).

We study the performance of the introduced DBV protocols with respect to the system parameters, while choosing the
following typical parameters as default: We consider a PLAN$^{\xi,\alpha,S}$ environment with no system loss $\xi = 1$, outdoor path
loss exponent $\alpha = 3$, and noise power $S = 1$pW $\approx -90$dBm. We also let the maximum allowed transmission power be
$E_{\max} = 30$kW $\approx 75$dBm (reasonable for small radio stations), and the maximum allowed distance claim be $d_0 = 100$km,
i.e. any distance claim less than 100km is accepted by the system.



A. DBV protocols $\Pi_1$ and $\Pi_2$

For the communication cost, we need to obtain the length of the verifier's challenge. Given PLAN$^{\xi,\alpha,S}$ and DBV parameters
$\psi > 1$ and $0 < \epsilon_{FA}, \epsilon_{FR} < 1$, we shall obtain the challenge-response parameters $(E_0, k^*, \beta^*)$ that give a $(\psi, \epsilon_{FA}, \epsilon_{FR})$-DFA-secure
DBV protocol, while minimizing the required challenge length. We study the behavior of the minimal challenge length $k^*$
with respect to the DBV protocol parameters $(\psi, \epsilon_{FA}, \epsilon_{FR})$; for simplicity, we assume equal error probabilities $\epsilon_{FA} = \epsilon_{FR} = \epsilon$.
Following Proposition 1, the optimal challenge-response parameters are determined by minimizing (5) as

$$k^* = \left\lceil \ln(1/\epsilon) \min_{E_0 \le E_{\max}} \; \min_{p_i < \beta < p_b} \max\left\{ \frac{p_i+\beta}{(\beta-p_i)^2},\; \frac{2p_b}{(p_b-\beta)^2} \right\} \right\rceil, \qquad (8)$$

and letting $E_0$ and $\beta^*$ be choices that result in $k^*$. Figure 5 graphs the changes in $k^*$ (in bits) and $E_0$ (in dBm) as functions of
$1 < \psi < 1.5$ for $\epsilon \in$ {10"'^, 10^^, 10~^}. The upper graph shows that $k^*$ increases by decreasing the DBV ratio $\psi$; however,
it remains in a reasonable range, e.g., 231 to 2629 bits for $\psi$ from 1.1 to 1.01. The lower graph shows that $E_0$ increases
when $\psi$ increases; however, its value does not depend on $\epsilon$ as expected from (8). We also note that the optimal choice of
$E_0$ is typically far less than the maximum allowed power $E_{\max} = 75$dBm. The reason is that increasing $E_0$ increases the
signal-to-noise ratios at both receivers, which does not necessarily minimize (8).

Fig. 5. Changes in challenge length $k^*$ and power $E_0$ w.r.t. $\psi$ and $\epsilon$.



B. DBV protocol $\Pi_3$ against sampling and general intruders

We follow a similar approach to the previous section to find the minimum $n$ that is required by this protocol in the BRM.
We start by requiring TFA-security against the sampling intruder and then discuss the general intruder case.

1 ) Sampling intruder: According to Theorem [T] the minimum n is obtained as (by considering 9 and 7 to be negligible) 

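$$n^* = \left\lceil \frac{1}{\lambda} \ln(1/\epsilon) \min_{E_0 \le E_{\max}} \; \min_{p_i < \beta < (1-\lambda)p_b} \max\left\{ \frac{p_i+\beta}{(\beta-p_i)^2},\; \frac{2(1-\lambda)p_b}{((1-\lambda)p_b-\beta)^2} \right\} \right\rceil. \qquad (9)$$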

The above expression for $n^*$ is very similar to (8) for $k^*$, except that $p_b$ is replaced by $(1-\lambda)p_b$ and a $1/\lambda$ coefficient is
included in the expression. This reveals that the communication complexity of $\Pi_3$ can be much higher than $\Pi_1$ (and also $\Pi_2$).

For small $\lambda$, we get $(1-\lambda)p_b \approx p_b$ and the increase in the communication complexity is caused by the $1/\lambda$ factor in (9). For larger
$\lambda$, the minimization in (9) results in a much higher value than that of (8). Figure 6(a) includes two graphs. The lower graph
shows the maximum BRM rate $\lambda^*$ (for which TFA-security against the sampling intruder is guaranteed) as a function of the DBV
ratio $\psi$. When $\psi$ is too small, the TFA-security cannot hold for all $\lambda$'s, only because the transmission power is bounded
by $E_{\max}$. Of course, by letting $E_{\max}$ be sufficiently large the protocol will work for all $\psi$'s and $\lambda$'s. The upper graph
illustrates the behavior of $n^*$ with respect to $\psi$ for $\lambda \in \{0.1, 0.5, 0.9\}$. Both increasing $\lambda$ and decreasing $\psi$ can cause a drastic
increase in the length $n^*$, such that for $\psi = 1.06$ and $\lambda = 0.9$, the BRM source should send around 2 Gigabits of random
data.

(a) Sampling intruder scenario.
(b) General intruder scenario.
Fig. 6. Changes in source output length $n^*$ and retrieval rate $\lambda^*$ w.r.t. $\psi$



2) General intruder: For the general intruder the results are much more restrictive, mainly because Theorem 1 provides security
guarantees only if the set of input parameters satisfy $p_i < p_b - \sqrt{2\ln(2)p_b\lambda}$, and these cases are quite limited as shown in
Figure 6(b). The lower graph indicates that the BRM rate $\lambda$ should be too small for TFA-security against the general intruder,
e.g., for $\psi = 1.68$ the rate $\lambda$ cannot be more than 0.1. The upper graph then draws $n^*$ as a function of $\psi$ when $\lambda = 0.1$: the
numbers suggest that when a security guarantee can be provided, the BRM source output length can be reasonably small, e.g.,
$n^* = 1071$ for $\psi = 1.68$.

VI. Conclusion 

We proposed the study of distance bounding verification (DBV) using physical channel properties as an alternative resource
to time of flight. We showed practical solutions for DFA and MFA secure DBV. Unfortunately, TFA-secure DBV without
using time measurement is not possible in general; this is evidence to the effectiveness of time of flight for secure distance
estimation purposes. We however proved the possibility of TFA-secure DBV in situations where the bounded retrieval model
can be realized. There are numerous open questions and future research directions that follow from this work. It is a nice
direction to use the noisy environment properties together with time to increase accuracy and/or security of DBV protocols.
Considering practically meaningful restrictions on the attackers to provide security against TFA is also of practical interest.

Appendix A
Proof of Lemma 2

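For any $m \in \{0,1\}^k$ and sampling sequence $(S_1, \dots, S_k) = \mathrm{Samp}(U_r)$, define $x \in \{0,1\}^n$ such that

$$\forall i \in [n]: \quad x_i = \begin{cases} m_j, & \text{if } \exists j : i = S_j \\ 0, & \text{else} \end{cases}$$

Since $X$ is $(\mu, \delta)$-closely-secure conditioned on $Y$, we have $E_y \max_x \Pr(d_H(X,x) \le \mu n \mid Y = y) \le 2^{-\delta n}$. Define $\Delta_x =
X \oplus x \in \{0,1\}^n$ and the event $\mathcal{E}_x$ to be true when $\frac{1}{n}\sum_{i=1}^{n} \Delta_{x,i} > \mu$; this gives $E_y \max_x \Pr(\bar{\mathcal{E}}_x \mid Y = y) \le 2^{-\delta n}$. Conditioned
on $\mathcal{E}_x$, the averaging sampler guarantees that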



1 



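We complete the proof as

$$\begin{aligned}
E_{y,u} \max \Pr\Big(d_H(M,m) \le (\mu - \theta)k \,\Big|\, Y = y, U_r = u\Big)
&= E_{y,u} \max \Pr\Big(\tfrac{1}{k}\sum_{j=1}^{k} \Delta_{x,S_j} \le \mu - \theta \,\Big|\, Y = y, U_r = u\Big) \\
&\le E_{y,u} \max \Pr\Big(\tfrac{1}{k}\sum_{j=1}^{k} \Delta_{x,S_j} \le \mu - \theta \,\Big|\, \mathcal{E}_x, Y = y, U_r = u\Big) + \Pr(\bar{\mathcal{E}}_x \mid Y = y, U_r = u) \\
&\le E_{y,u} \max \Pr\Big(\tfrac{1}{k}\sum_{j=1}^{k} \Delta_{x,S_j} \le \mu - \theta \,\Big|\, \mathcal{E}_x\Big) + \Pr(\bar{\mathcal{E}}_x \mid Y = y) \\
&\le \gamma + 2^{-\delta n}.
\end{aligned}$$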



Appendix B 

Proof of Proposition 1: DFA/MFA-Secure DBV

For any choice of $E_0 \le E_{\max}$, the error probabilities $p_i$ and $p_b > p_i$ (at distances $d_c$ and $\psi d_c$, respectively) are determined
by Lemma 3. For uniform challenge $M \in \{0,1\}^k$, let $X = \mathrm{Mod}_E(M)$ be transmitted and $Y$ and $Z$ be received at distances
$d_c$ and $\psi d_c$, respectively. For an honest prover at distance $d_c$, the probability of being rejected equals the probability that
there are more than $\beta k$ errors in $\hat{M} = \mathrm{Demod}(Y)$. The completeness condition of Definition 4 requires

$$\sum_{j > \beta k} \binom{k}{j} p_i^{j} (1-p_i)^{k-j} \le \epsilon_{FR}. \qquad (10)$$

For a dishonest prover at distance $\psi d_c$, the best probability of being accepted is obtained by choosing $\mathrm{Demod}(Z)$ as response,
noting that $p_b < 0.5$, the communication channel is memoryless, and the challenge is uniform. The acceptance probability
hence equals the probability that there are at most $\beta k$ errors in $\mathrm{Demod}(Z)$. The completeness condition of Definition 4
requires

$$\sum_{j \le \beta k} \binom{k}{j} p_b^{j} (1-p_b)^{k-j} \le \epsilon_{FA}. \qquad (11)$$

We let $p_i < \beta < p_b$ and apply Chernoff's inequality to simplify (10)-(11) as

$$\exp\left(-\frac{(\beta-p_i)^2}{\beta+p_i}\,k\right) \le \epsilon_{FR}, \quad \text{and} \quad \exp\left(-\frac{(p_b-\beta)^2}{2p_b}\,k\right) \le \epsilon_{FA}.$$

These inequalities suggest

$$k \ge \frac{(p_i+\beta)\ln(1/\epsilon_{FR})}{(\beta-p_i)^2}, \qquad k \ge \frac{(2p_b)\ln(1/\epsilon_{FA})}{(p_b-\beta)^2}.$$



Appendix C 

Proof of Theorem 1: BRM-DBV - general intruder

We shall show that the BRM-DBV protocol is complete and is sound against all three attacks. The completeness follows
directly from the DBV protocol $\Pi_2$. Soundness against DFA and MFA is also implied by TFA-security, because these two
attacks against the DBV protocols become special cases of terrorist fraud: DFA can be realized when I does not do any
activity, and MFA can be realized when P follows the protocol honestly. Thus, we only focus on TFA-security, for which we
should assume that P is really located at a distance $d_r \ge \psi d_c$.

Without loss of generality, we consider the strongest TFA scenario where all communication to and from I is error-free (it is
literally located pretty close to V) and P's distance is $d_r = \psi d_c$. V's BRM source sends $X_O$ over the PLAN environment,
P observes $Y_O$, and I observes (with no error) $X_O$; however, each party can only retrieve $k = \lambda n$ bits from what they observe.

Upon receiving $X_O$ (or its binary equivalent $O$), I retrieves $f_{adv}(O)$ for some function $f_{adv} : \{0,1\}^n \to \{0,1\}^k$ which is
chosen based on the leaked knowledge $W$ about $SK_e$, which is given by P to I. The definition of TFA requires that $W$ does not
increase I's success chance in impersonation. We give a proof sketch to argue that $W$ cannot help improve the TFA's success
chance either. (We do not provide a formal proof due to lack of space.) The above requirement on $W$ implies the independence
of $W$ and the averaging sampler output $\mathrm{Samp}(SK_e)$; otherwise, knowing about the indices of $X$ selected by the sampler
would increase I's chance in impersonation. We can thus replace the key $SK_e$ with a new variable $SK'_e$ that is independent of
$W$ and whose values determine all possible outputs from $\mathrm{Samp}(SK_e)$. This suggests that either $SK_e$ is independent of $W$ or
it can be replaced by $SK'_e$ that is independent of $W$. Hereon, we assume that $W$ and hence $f_{adv}(\cdot)$ are independent of $SK_e$.

On the prover's side, there is the noisy signal $Y_O$ as well as the secret key $SK$. Letting $\mathcal{V} = (f_{adv}(X_O), Y_O, SK)$ we shall
prove:

$$E_v \max_m \Pr\big(d_H(M,m) \le \beta k \mid \mathcal{V} = v\big) \le \epsilon_{FA}. \qquad (12)$$

For fixed $E_0$, let $p_b$ be the bit error probability in P's receiver (at distance $d_r$) which is obtained from Lemma 3. Using
Chernoff's inequality shows that for any $\mu < p_b$,

$$E_y \max_o \Pr\big(d_H(O,o) \le \mu n \mid Y_O = y\big) \le \sum_{j \le \mu n} \binom{n}{j} p_b^{j} (1-p_b)^{n-j} \le \exp\left(-\frac{(p_b-\mu)^2}{2p_b}\,n\right).$$

That is, $O$ is $(\mu, \delta_1)$-closely-secure conditioned on $Y_O$, where $\delta_1 = \frac{(p_b-\mu)^2}{2\ln(2)p_b}$. Using Lemma 1 shows us that $O$ is $(\mu, \delta_2)$-closely-secure
conditioned on $(Y_O, f_{adv}(X_O))$, where $\delta_2 = \delta_1 - \lambda$ is positive because $\mu + \ln(2)\lambda + \sqrt{(\ln(2)\lambda)^2 + 2\ln(2)\mu\lambda} < p_b$ holds
by the theorem. We now apply Lemma 2 which gives us that $M$ is $(\beta, \delta')$-closely-secure conditioned on $(Y_O, f_{adv}(X_O), SK)$,
where $\beta = \mu - \theta$ and $\delta' = \log(\gamma + 2^{-\delta_2 n})/k = \log(\epsilon_{FA})/k$ as mentioned by the theorem. This completes the proof.

Appendix D 

Proof of Theorem 2: BRM-DBV - sampling intruder

The proof here requires a one-step modification compared to that of Appendix C (for Theorem 1), which relies on the sampling
intruder assumption. For this intruder, the retrieval function $f_{adv} : \{0,1\}^n \to \{0,1\}^k$ is a sampling function, i.e., $f_{adv}(O) = O_I$
for some fixed set of $k$ indices $I = \{i_1, \dots, i_k\} \subseteq [n]$, which is selected independently of $SK$. Let $\bar{I} = [n] - I$ denote the
complement of $I$. Given $(Y_O, f_{adv}(O))$, the adversary first determines $O_I$, calculates $O' = \mathrm{Demod}(Y_O)$, and uses each bit of
$O'_{\bar{I}}$ to obtain some information about the corresponding bit of $O_{\bar{I}}$.

For fixed $E_0$, let $p_b$ be the bit error probability at distance $d_r$, obtained from Lemma 3. We calculate $\delta$ such that $O$ is
$(\mu, \delta)$-closely-secure conditioned on $(Y_O, f_{adv}(O))$ as follows (we use Chernoff's inequality since $\mu < (1-\lambda)p_b$).



Ea.y maxPr 



(dH{0,o) < ^ln\Yo ^ y, hdAO) 
{dH{Oi,oi) < fin\0'j = I 



Eci'_ max Pr 

i<fl7'L 

((1 - A)pb - f^r 

2(1 - A)pb 

((1 - A)pb - 



< exp 
S < 



21n(2)(l~A)pb 

Applying Lemma 2 lets us conclude that $M$ is $(\beta, \delta')$-closely-secure conditioned on $(Y_O, f_{adv}(X_O), SK)$, where $\beta = \mu - \theta$
and $\delta' = \log(\gamma + 2^{-\delta n})/k$ which equals $\log(\epsilon_{FA})/k$ according to the theorem.



